Fix build with OpenSSL 1.1.0 (security/openssl-devel)

- Remove BROKEN_SSL=openssl-devel Reference: https://bugs.python.org/issue30622 b2d096bd2a PR: 222795 Submitted by: brnrd MFH: 2018Q1
svn path=/head/; revision=461915
2025-07-18 09:49:18 -04:00 · 2018-02-15 12:47:58 +00:00 · 2018-02-15 12:47:58 +00:00 · 1d451321eb · 2021-03-31 03:12:20 +00:00
commit 1d451321eb
parent 39ad98cdc7
2 changed files with 128 additions and 2 deletions
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@ -14,8 +14,6 @@ COMMENT=	Interpreted object-oriented programming language
 LICENSE=	PSFL
 BROKEN_SSL=	openssl-devel
 USES=		cpe ncurses pathfix pkgconfig readline:port shebangfix ssl tar:xz
 PATHFIX_MAKEFILEIN=	Makefile.pre.in
 USE_LDCONFIG=	yes
--- a/lang/python27/files/patch-issue30622
+++ b/lang/python27/files/patch-issue30622
@ -0,0 +1,128 @@
 From b2d096bd2a5ff86e53c25d00ee5fa097b36bf1d8 Mon Sep 17 00:00:00 2001
 From: Melvyn Sopacua <melvyn-sopacua@users.noreply.github.com>
 Date: Mon, 4 Sep 2017 23:35:15 +0200
 Subject: [PATCH] bpo-30622: Change NPN detection: (#2079)
 * Change NPN detection:
 Version breakdown, support disabled (pre-patch/post-patch):
 - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
 - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will not be defined ->
 False/False
 - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
 OPENSSL_NO_NEXTPROTONEG will be defined -> True/False
 Version breakdown support enabled (pre-patch/post-patch):
 - pre-1.0.1: OPENSSL_NPN_NEGOTIATED will not be defined -> False/False
 - 1.0.1 and 1.0.2: OPENSSL_NPN_NEGOTIATED will be defined and
 OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
 - 1.1.0+: OPENSSL_NPN_NEGOTIATED will be defined and
 OPENSSL_NO_NEXTPROTONEG will not be defined -> True/True
 * Refine NPN guard:
 - If NPN is disabled, but ALPN is available we need our callback
 - Make clinic's ssl behave the same way
 This created a working ssl module for me, with NPN disabled and ALPN
 enabled for OpenSSL 1.1.0f.
 Concerns to address:
 The initial commit for NPN support into OpenSSL [1], had the
 OPENSSL_NPN_* variables defined inside the OPENSSL_NO_NEXTPROTONEG
 guard. The question is if that ever made it into a release.
 This would need an ugly hack, something like:
 	#if defined(OPENSSL_NO_NEXTPROTONEG) && \
 		!defined(OPENSSL_NPN_NEGOTIATED)
 	#	define OPENSSL_NPN_UNSUPPORTED 0
 	#	define OPENSSL_NPN_NEGOTIATED 1
 	#	define OPENSSL_NPN_NO_OVERLAP 2
 	#endif
 [1] https://github.com/openssl/openssl/commit/68b33cc5c7
 --- Modules/_ssl.c.orig	2017-09-16 17:38:35 UTC
 +++ Modules/_ssl.c
@@ -280,7 +280,7 @@ static unsigned int _ssl_locks_count = 0
 typedef struct {
     PyObject_HEAD
     SSL_CTX *ctx;
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     unsigned char *npn_protocols;
     int npn_protocols_len;
 #endif
@@ -1502,7 +1502,7 @@ static PyObject *PySSL_version(PySSLSock
     return PyUnicode_FromString(version);
 }
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 static PyObject *PySSL_selected_npn_protocol(PySSLSocket *self) {
     const unsigned char *out;
     unsigned int outlen;
@@ -2030,7 +2030,7 @@ static PyMethodDef PySSLMethods[] = {
      PySSL_peercert_doc},
     {"cipher", (PyCFunction)PySSL_cipher, METH_NOARGS},
     {"version", (PyCFunction)PySSL_version, METH_NOARGS},
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     {"selected_npn_protocol", (PyCFunction)PySSL_selected_npn_protocol, METH_NOARGS},
 #endif
 #ifdef HAVE_ALPN
@@ -2140,7 +2140,7 @@ context_new(PyTypeObject *type, PyObject
         return NULL;
     }
     self->ctx = ctx;
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     self->npn_protocols = NULL;
 #endif
 #ifdef HAVE_ALPN
@@ -2216,7 +2216,7 @@ context_dealloc(PySSLContext *self)
 {
     context_clear(self);
     SSL_CTX_free(self->ctx);
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     PyMem_FREE(self->npn_protocols);
 #endif
 #ifdef HAVE_ALPN
@@ -2246,7 +2246,7 @@ set_ciphers(PySSLContext *self, PyObject
     Py_RETURN_NONE;
 }
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG) || defined(HAVE_ALPN)
 static int
 do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
                       const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -2270,7 +2270,9 @@ do_protocol_selection(int alpn, unsigned
     return SSL_TLSEXT_ERR_OK;
 }
 +#endif
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
 static int
 _advertiseNPN_cb(SSL *s,
@@ -2305,7 +2307,7 @@ _selectNPN_cb(SSL *s,
 static PyObject *
 _set_npn_protocols(PySSLContext *self, PyObject *args)
 {
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     Py_buffer protos;
     if (!PyArg_ParseTuple(args, "s*:set_npn_protocols", &protos))
@@ -4303,7 +4305,7 @@ init_ssl(void)
     Py_INCREF(r);
     PyModule_AddObject(m, "HAS_ECDH", r);
 -#ifdef OPENSSL_NPN_NEGOTIATED
 +#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
     r = Py_True;
 #else
     r = Py_False;